Analysis and opinion by Christopher Soghoian, security and privacy researcher.

Monday, August 17, 2009

Going Fed

This week will be my last at Harvard's Berkman Center for Internet & Society. It has been a fantastic place to work, and for the first time in my academic life, I found a supportive environment where it is OK to be interested in both technology and law/policy. I will miss Berkman and the friends I made there sorely (but not the horrible Boston weather).

In two weeks, I will move to Washington DC, where I will begin working half time as a technical consultant to the Division of Privacy and Identity Protection in the Bureau of Consumer Protection at the US Federal Trade Commission. As I understand it, the FTC has a lot of really smart lawyers, but they (currently) lack geek skills.

David Vladeck, the new head of the Bureau of Consumer Protection, recently told the New York Times that "he would hire technologists to help analyze online marketers’ tracking." I guess that means people like me.

Those regular blog readers who are used to my usual acerbic writing style may be disappointed. I expect that my writing on this blog will dry up -- with the occasional post to announce new research papers or updates to TACO. While I haven't been told to do this, I am assuming that it is simply no longer appropriate to use this blog to shame the corporations that continue to do harm to user online privacy -- at least as long as I am also on the government's payroll.

Hopefully, there will be other ways that I can help to achieve this positive change from within the DC beltway.

I also recognize that many people might find it surprising that I am going to work for the US government. After all, I have spent much of my public blogging railing against the oppressive surveillance state and the numerous privacy invasions committed by the law enforcement and intelligence agencies.

My position at the FTC will involve no classified work. I have not, and will not, get a security clearance, and I intend to be solely focused on things that improve consumer privacy, not hurt it. The FTC is not in the business of violating the rights of Americans. There are other agencies that seem to be taking care of that.

I will be at the FTC half time. The other (unpaid) half of my time will be spent wrapping up my dissertation, writing research papers, and continuing to work on TACO.

There are likely to be some users of TACO who are not terribly keen on the idea of running code on their computers designed and maintained by someone who is paid by the US government. TACO is open source, which means anyone can look through the source code online to see if there are any hidden backdoors (there aren't). Furthermore, Mozilla won't roll out an update to the 100,000 TACO users until a Mozilla volunteer has looked through the code and verified that it is safe.

As an additional layer of safety for paranoid TACO users, I have added two new people to the TACO development team: Sid Stamm and Dan Witte, both employees of Mozilla. Sid is also a paranoid security geek, and Dan is in charge of the cookie-related code within the Firefox browser. Dan also rewrote the most recent version of TACO to make it several times faster.

Both have agreed to lend a hand if and when I encounter technical problems with future TACO versions (since my coding skills are not so great). However, they will also be able to act as a layer of protection, should someone try to force me to make changes to the TACO codebase. Defense in depth, I suppose.

Congrats, Chris and FTC team! This is a good partnership and reflects well on both parties. Chris -- you've done a great job nudging industry forward and proving once again that a determined individual can make a difference.

Christopher Soghoian, Ph.D., is a Washington, DC-based privacy and security researcher. He is the Principal Technologist in the Speech, Privacy and Technology Project at the American Civil Liberties Union.